glpi-project / glpi-agent

GLPI Agent
GNU General Public License v2.0

Collect Task not working when a proxy is set via HTTP #645

Closed JulienRemi closed 4 weeks ago

JulienRemi commented 2 months ago

Bug reporting acknowledgment

Yes, I read it

Professional support

None

Describe the bug

The agent doesn't put cookie information in its POST request for the collect task when a proxy is set in the GLPI-agent configuration.

Here is the request when no proxy is set up : image

And with a proxy :
image

I received the Set-cookie header in both cases in the previous request.

Then, the collect task throws an error on the POST request when a proxy is used by the agent, because it receives an HTML Access Refused page:

[Thu Apr  4 16:17:52 2024][debug2] [http client] POST: action=setAnswer&_sid=7&_cpt=1&uuid=660eb484740a3&tag=XXXXXX
[Thu Apr  4 16:17:52 2024][debug] [http client] Using 'http://111.111.111.111:1111' as proxy for http protocol
[Thu Apr  4 16:17:52 2024][error] [http client] Can't decode JSON content, starting with:
<!DOCTYPE html>
<html lang="fr"       >
<head>
   <title>Accès refusé - GLPI</title>

   <meta charset="utf-8" />

      <meta http-equiv="X-UA-Compatible" content="IE=edge" />
...

There is an error in the access-error.log file on the server :
CSRF check failed for User ID: at /plugins/glpiinventory/b/collect/?action=setAnswer&uuid=660eb484740a3&method=POST

The collect task works well when no proxy is set.

To reproduce

  1. Set up the glpiinventory-agent config with a proxy.
  2. Create a collect task for that computer
  3. Run the agent

Expected behavior

Collect task working like it does without proxy

Operating system

Windows

GLPI Agent version

1.7.3

GLPI version

10.0.14

GLPIInventory plugin or other plugin version

GLPI Inventory v1.3.5

Additional context

No response

g-bougard commented 2 months ago

Hi @JulienRemi

just to clarify, did you exchange the 2 screenshots?

I see an IP starting with 194. and another starting with 14. Which one is the proxy and which one the GLPI server? Also can you confirm we don't see 14. because you forgot a 9 in the middle somewhere.

JulienRemi commented 2 months ago

Hi,

Yes, I did exchange the two screenshots, sorry, I will edit my post. But no, it's not an error in the IP, the 14. is the server address through the proxy. And the 194, without.

Here is the same request with an agent on a local network : image

g-bougard commented 2 months ago

Can you confirm what kind of proxy you're using and how you configured it in glpi-agent ? This should help me to reproduce.

JulienRemi commented 2 months ago

It's a forward proxy but it's something global to our company and I don't have the hand on it. I use the proxy parameter of the agent : "http://[Proxy IP]:[Port] "

g-bougard commented 1 month ago

Hi @JulienRemi

I just had time to try your issue.

As my test instance supports http & https accesses, I can tell you:

  1. if I use https url, I don't have the problem
  2. if I use http url, I have the problem. But in that case, I had to set "Agent Base URL" to the http url in the "Assets" tab in Entities Administration. If I don't do that GLPI asks GLPI Agent to use the https url for following POST request and the Collect task works in that case.

So can you clarify a few points?

  1. Does your GLPI support https? If not, can you enable this support and try using https?
  2. Have you set "Agent Base URL" in the "Assets" tab in your entity Administration? And if yes, is this set to a http url?

JulienRemi commented 1 month ago

Hi,

  1. I'm currently not using https
  2. No, the "Agent Base URL" is not set up

g-bougard commented 1 month ago

Hi @JulienRemi

From what I read, the cookie support standard seems to be supported through a proxy only for https requests. This should of course be for security reasons: don't leave a chance to the proxy to hijack security-related cookies and permit the proxy to perform a MITM attack.

So by now, I think you should just manage to use (or enable and use if you still didn't configure it) SSL through the proxy.

JulienRemi commented 1 month ago

OK, I see, thanks. But why does every other tool work fine (Inventory, deploy, network scan, esx scan ...)?

g-bougard commented 1 month ago

They don't require csrf cookie.

g-bougard commented 4 weeks ago

Hi @JulienRemi

I think we can close this issue.

Feel free to reopen if you think I'm wrong.

JulienRemi commented 4 weeks ago

Hi @g-bougard,

Well, I would like to have the collect working in http too, because why does only this task use CSRF cookies?

g-bougard commented 4 weeks ago

Only this task uses multiple POST requests and, in that case, CSRF is required to avoid any possible man-in-the-middle attack.

Using HTTP to run such an advanced task is definitely not a good option. You should definitely implement SSL support on your server.
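
The following is an added example, not part of the thread and not GLPI Agent code. It is a Python triage pass over agent debug logs that finds the failure from the original report: a JSON decode error whose dumped body is an HTML page, tied back to the POST and the proxy that carried it. The line layout and messages follow the excerpt in the report; the function name `html_replies`, the sample host, uuid and second error body are constructed for illustration.

```python
import re
# Line layout as in the report's excerpt: [timestamp][level] [component] message
LINE_RE = re.compile(r"^\[([^\]]+)\]\[(\w+)\] \[([^\]]+)\] (.*)$")
PROXY_RE = re.compile(r"Using '([^']+)' as proxy for (\w+) protocol")
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

# Constructed sample: host, uuid and the second error body are made up.
SAMPLE_LOG = """\
[Thu Apr  4 16:17:52 2024][debug2] [http client] POST: action=setAnswer&_sid=7&_cpt=1&uuid=aaaa
[Thu Apr  4 16:17:52 2024][debug] [http client] Using 'http://proxy.example:3128' as proxy for http protocol
[Thu Apr  4 16:17:52 2024][error] [http client] Can't decode JSON content, starting with:
<!DOCTYPE html>
<html lang="fr">
   <title>Accès refusé - GLPI</title>
[Thu Apr  4 16:20:00 2024][error] [http client] Can't decode JSON content, starting with:
upstream timeout
"""

def html_replies(log_text):
    """Return one finding per JSON decode error whose dumped body is an HTML page."""
    findings, post, proxy, current = [], None, None, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                       # continuation line: body dumped after an error
            if current is not None:
                current["body"] += raw + "\n"
            continue
        if current is not None:         # a new log record closes the dumped body
            findings.append(current)
            current = None
        ts, level, _, msg = m.groups()
        if msg.startswith("POST: "):
            post, proxy = msg[6:], None
        elif (p := PROXY_RE.search(msg)):
            proxy = {"url": p.group(1), "protocol": p.group(2)}
        elif level == "error" and msg.startswith("Can't decode JSON content"):
            current = {"time": ts, "post": post, "proxy": proxy, "body": ""}
    if current is not None:
        findings.append(current)
    out = []
    for f in findings:
        body = f.pop("body")
        if "<html" not in body.lower():
            continue                    # some other decode problem, not an HTML page
        t = TITLE_RE.search(body)
        f["title"] = t.group(1).strip() if t else None
        f["plain_http"] = bool(f["proxy"]) and f["proxy"]["protocol"] == "http"
        out.append(f)
    return out
```

A finding with `plain_http` set and an access-refused title matches the situation discussed above, where the server's access-error.log shows the CSRF check failing for the same request.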